COMPUTER ARCHITECTURE FOR AN INTRUSION DETECTION SYSTEM 

S.N. 09/878,320 
Inventor: Mark Crosbie, et al. 
Docket No. 10012170-1 



FIG. 1 (block diagram; drawing not reproduced, only its labels survive):
  CORRELATION ENGINE (78)
  KERNEL AUDIT DATA (70)
  SYSLOG DATA




FIG. 2 (block diagram; drawing not reproduced, only its labels survive): How do the agent processes fit together?
  cron (250)
  idsSSLagent (200)
  idsagent: controls all agent processes
  Alert msgs. from idscor
  idscor: correlates data from DSPs and detects intrusions
  idssysdsp: gathers data from system log files (syslog etc.)
  Local alert file
  Response script (260)
  Detection templates
  isdkerndsp: gathers data from kernel IDDS driver (240)
  System call data from kernel
  IDDS kernel driver (270)
